Businesses in Europe were squarely in the firing line of GDPR enforcement in 2020. In December 2020, Facebook set aside €302 million for possible GDPR fines, as it is currently the subject of several investigations by the Irish Data Protection Commission. The same month, France's CNIL levied a €100 million fine on Google for placing cookies on users' devices without their consent. The year 2021 is no different, and Big Tech continues to feel the heat from European regulators, with recent record fines of €746 million on Amazon and €225 million on WhatsApp.

Since GDPR became enforceable in May 2018, data protection authorities have imposed over €1.2 billion in fines, according to estimates by Privacy Affairs. Thanks to the record Amazon fine, Luxembourg tops the list with aggregate fines of more than €746 million, followed by Italy with €84 million, then France and Germany.

Broadly speaking, there are two tiers of GDPR fines, and regulators calculate the amount within each tier based on several criteria (Article 83 GDPR lists them, including the nature, gravity and duration of the infringement, whether it was intentional and the degree of cooperation with the authority). The lower tier allows fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. The higher tier allows fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

We’ve looked at the biggest GDPR fines in 2018 and 2019. To keep up with GDPR fines of 2020 and 2021, read on.

GDPR Fines of 2020 and 2021

1. Amazon, €746 million 

Amazon Europe Core faces a record €746 million ($886.6 million) fine for violating the GDPR. The Luxembourg National Commission for Data Protection (CNPD) imposed the fine in a decision dated 16 July 2021, which Amazon disclosed in a regulatory filing. The Luxembourg fine dwarfs anything imposed before it, making it the biggest GDPR fine to date.

Because Amazon's European headquarters is in Luxembourg, the CNPD is its lead supervisory authority and handled the proceedings, but it has not published the details of the violations. In response to the fine, Amazon stated that it plans to appeal and intends "to defend ourselves vigorously in this matter."

2. WhatsApp, €225 million

Facebook-owned WhatsApp has been fined €225 million ($266 million) by Ireland's data protection watchdog for breaching the GDPR. The Irish Data Protection Commission (DPC), the lead regulator for Facebook in the EU, announced that the fine stems from an investigation opened in 2018 and concerns transparency: WhatsApp was not open enough with users, and with non-users whose data it processes, about how it handles their information.

It is the largest fine the Irish DPC has ever issued and the second-highest under the GDPR in the EU. The regulator also ordered WhatsApp to bring its processing into compliance with the GDPR, update its privacy policy and change how it informs users about the sharing of their data.

3. Google, €100 million

In December 2020, the French data protection regulator CNIL fined Google LLC €60 million and Google Ireland €40 million under the French Data Protection Act's cookie rules. The fines were levied for placing advertising cookies on users' computers without obtaining prior consent and without providing adequate information about those cookies.

In January 2019, CNIL had already fined Google €50 million for GDPR violations: insufficient information, a lack of transparency and no valid consent from users for personalised ads. Google challenged the decision, but in June 2020 France's Council of State (Conseil d'État) rejected the appeal and upheld the penalty.

4. Amazon, €35 million

Alongside Google, CNIL fined Amazon Europe Core €35 million for cookie consent violations. CNIL investigated amazon.fr between December 2019 and May 2020 and found that the site placed cookies on users' devices without obtaining prior consent. Like Google, Amazon also failed to provide adequate information about the cookies and about how visitors to its French website could refuse them.


5. H&M, €35.3 million

In October 2020, the Data Protection Authority of Hamburg, Germany, fined the clothing retailer H&M €35.3 million for employee surveillance. It is the largest fine issued for an employment-related violation since the GDPR came into force.

A 2019 data breach revealed that H&M had created and maintained profiles of the private lives of employees at its Nuremberg service centre for at least five years. The violations included recording personal information gleaned from informal conversations, including details of holidays, medical symptoms and diagnoses, and religious beliefs.

6. TIM, €27.8 million

In January 2020, the Italian Data Protection Authority (Garante) imposed a €27.8 million fine on the telecommunications operator TIM for a series of GDPR violations. The fine covered unlawful data processing, an aggressive marketing strategy, invalid collection of consent and excessive data retention periods.

Between January 2017 and early 2019, the Garante received several hundred complaints about TIM's aggressive promotional campaigns. Millions of people were flooded with cold calls and unsolicited communications, including non-customers and people on the opt-out list.

7. British Airways, €22 million

In October 2020, the UK's Information Commissioner's Office (ICO) fined British Airways £20 million (about €22 million) for its 2018 data breach. The breach affected the personal and payment card data of more than 400,000 customers. The stolen data included employee login credentials, payment card numbers and travel booking details, as well as names and addresses.

The ICO imposed a considerably smaller fine than the £183 million it had proposed in its 2019 notice of intent, noting that "the economic impact of Covid-19" was taken into account. It is nevertheless the largest fine the ICO has issued to date.

8. Marriott International, €20.4 million 

The ICO fined Marriott International £18.4 million (about €20.4 million) for a breach of customers' personal data. The fine relates to a 2014 cyber attack on the Starwood hotel chain, which Marriott later acquired; the intrusion was not discovered until September 2018 and was disclosed in November 2018. The exposed data included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests' VIP status and loyalty programme membership numbers.

According to the ICO, the breach affected an estimated seven million guest records relating to people in the UK. As with the British Airways fine, the ICO reduced the amount from the £99 million proposed in its July 2019 notice of intent, citing the pandemic.

9. Wind Tre, €16.7 million

In July 2020, the Garante fined Wind Tre, a mobile telecoms operator, €16.7 million for aggressive direct marketing in breach of the GDPR. The company used customers' personal data without their consent for unsolicited communications by SMS, email, phone calls and automated calls.

Complainants also told the Garante that they were unable to withdraw consent or object to the processing of their data for marketing, because the company's privacy policy did not provide accurate contact details for doing so.

10. Vodafone, €12.25 million

In November 2020, the Italian Data Protection Authority (Garante) issued a €12.25 million GDPR fine to telecommunications company Vodafone Italia. The company was fined for aggressive telemarketing practices.

After receiving complaints about unsolicited calls from Vodafone, the Garante launched an investigation. It found multiple flaws in the way Vodafone stored customer information, and that the company had purchased contact lists covering more than 4.5 million people from external providers without valid consent.

The Garante also banned Vodafone from using data acquired from third parties for marketing or commercial purposes without the data subjects' consent. This is the third-largest fine the Garante has issued so far, after the €27.8 million fine for TIM and the €16.7 million fine for Wind Tre.

11. EGL, €11.5 million

In January 2020, the Italian data protection watchdog Garante fined Eni Gas e Luce (EGL) €11.5 million. The Italian electricity and gas supplier was penalised for unlawful processing of personal data and for unsolicited contracts.

The first fine, of €8.5 million, was for unlawfully processing personal data for telemarketing: EGL made marketing calls to people who had opted out of receiving such calls.

The second fine, of €3 million, was for unsolicited contracts concluded on the free energy market, which affected around 7,200 customers.

12. Notebooksbilliger.de, €10.4 million

In January 2021, the data protection authority of Lower Saxony, Germany, fined the online electronics retailer notebooksbilliger.de €10.4 million. The penalty was imposed for monitoring employees through constant video surveillance for at least two years without a legal basis.

Cameras were installed in the employees' common areas, workplaces, warehouse and sales areas. The company also recorded customers without their consent by placing cameras in places such as seating areas and sales rooms where customers tested products.

This is the second large German fine for employee surveillance, after the Hamburg authority's fine against H&M in 2020.

13. Google, €7 million

Google makes the list again. In March 2020, the Swedish Data Protection Authority fined Google SEK 75 million (about €7 million) for failing to comply with the GDPR, specifically for failing to remove search result links under the right to be forgotten. It is Google's third-largest GDPR-related fine, after the €100 million and €50 million fines from the French CNIL.

In 2017, the Swedish DPA had ordered Google to remove several search result listings. In 2018, after receiving complaints that Google had not complied, the DPA initiated a follow-up audit.

The audit found that Google had not properly removed two of the listings it had been ordered to remove in 2017. The DPA also ordered Google to stop routinely notifying website owners of delistings, because the notification can reveal who requested the delisting.

14. CaixaBank, €6 million

The Spanish DPA, the AEPD, fined the financial services company CaixaBank €6 million in January 2021 for misuse of customer data. It is the largest GDPR fine handed out in Spain. The AEPD found that the information CaixaBank gave customers was inconsistent across documents and channels, and that its privacy policy used imprecise terminology.

The bank also provided insufficient information about the categories of personal data processed, user profiling, the legal basis for processing, how to exercise data subject rights and data retention periods. In addition, the bank failed to meet the requirements for valid consent, and there were "deficiencies in the processes enabled" to obtain such consent.

15. BBVA, €5 million

In December 2020, the AEPD also fined the financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) €5 million. BBVA was penalised for using imprecise terminology in its privacy policy and for providing insufficient information about the categories of personal data it processes.

BBVA also failed to obtain consent before sending promotional SMS messages to a customer and had no specific mechanism for obtaining such consent. It was further penalised for unlawfully transferring personal data to other companies in the BBVA group.

This is the second-biggest fine imposed in Spain, and it shares many similarities with the CaixaBank fine. The two record fines suggest the AEPD is taking a significantly tougher line on GDPR enforcement.

16. AOK, €1.24 million

In June 2020, the Data Protection Authority of Baden-Württemberg, Germany, fined the health insurer Allgemeine Ortskrankenkasse (AOK) Baden-Württemberg €1.24 million. The fine was levied for a lack of the technical and organisational measures required under Article 32 GDPR.

Between 2015 and 2019, AOK organised lotteries and collected participants' personal data, including their contact details and current health insurance affiliation. It intended to use the data of participants who had consented for advertising purposes, but the DPA found that AOK had processed the data of about 500 people for advertising without their consent.

The investigation also found that AOK lacked adequate technical and organisational measures to ensure that only the data of participants who had actually consented was used for advertising.

17. BKR, €830,000

In August 2020, the Dutch Data Protection Authority imposed its largest GDPR fine to date, €830,000, on the Dutch credit registration bureau BKR. The fine was for failing to comply properly with data subject access requests between May 2018 and March 2019.

The Dutch DPA found that BKR had infringed Article 12 GDPR by charging a fee to data subjects who wanted to access their personal data in digital form. BKR offered free access only once a year, and only by post, which discouraged data subjects from exercising their right of access.

GDPR Cookie Fines

Remember Google's dramatic €100 million fine for cookie violations discussed above? Google is not the only one. In 2019, the Spanish DPA fined Vueling Airlines €30,000 for not giving users the option to refuse cookies. In 2020, the same authority fined Twitter €30,000 for an unlawful cookie banner. That big a fine for a cookie banner? Yes. Twitter's banner offered no link to reject cookies or to manage cookie preferences.

The trend continued in November 2020, when CNIL fined Carrefour France €2,250,000 and Carrefour Banque €800,000 for a range of GDPR violations, including cookie consent violations. Among other things, Carrefour websites placed cookies automatically, before visitors had given consent, and used those cookies for advertising purposes.
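The pattern penalised in the Google, Amazon and Carrefour decisions is the same one: non-essential cookies written on page load, before the visitor has decided anything, with no working way to refuse. The following is an added example, written for this article rather than taken from CookieYes or from any of the sites fined, showing the non-compliant "set everything on load" behaviour next to a consent gate that holds back non-essential cookies until the visitor accepts, honours a rejection, and keeps a consent record of the kind an auditor would ask for. The cookie names, the list of "strictly necessary" cookies and the in-memory cookie jar are assumptions constructed for the example; in a browser the jar would wrap document.cookie.

```javascript
// Added example, not CookieYes code. Cookie names, the ESSENTIAL list and the
// in-memory CookieJar are assumptions constructed so the example runs offline.

// Assumption: only these cookies are strictly necessary and exempt from consent.
const ESSENTIAL = new Set(["session_id", "csrf_token"]);

// In-memory stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  names() { return [...this.store.keys()].sort(); }
}

// "Before": the page drops every cookie on load, advertising cookie included.
// This is the behaviour CNIL penalised: no prior consent, no way to refuse.
function legacyPageLoad(jar) {
  jar.set("session_id", "s-123");
  jar.set("ad_tracker", "t-456"); // advertising cookie written before any consent
  return jar.names();
}

// "After": non-essential cookies wait for an explicit decision.
class ConsentGate {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;
    this.status = "pending"; // pending | accepted | rejected
    this.queue = [];         // non-essential cookies requested before a decision
    this.log = [];           // consent record: what was decided and when
  }

  set(name, value) {
    if (ESSENTIAL.has(name) || this.status === "accepted") {
      this.jar.set(name, value);
    } else if (this.status === "pending") {
      this.queue.push([name, value]); // hold until the visitor decides
    }
    // status === "rejected": dropped. Closing or ignoring the banner is not consent.
  }

  accept() {
    this.status = "accepted";
    this.log.push({ decision: "accepted", at: this.now() });
    for (const [name, value] of this.queue) this.jar.set(name, value);
    this.queue = [];
  }

  reject() {
    this.status = "rejected";
    this.log.push({ decision: "rejected", at: this.now() });
    this.queue = []; // queued non-essential cookies are never written
  }
}

// Same page logic as legacyPageLoad, but routed through the gate.
function gatedPageLoad(gate) {
  gate.set("session_id", "s-123");
  gate.set("ad_tracker", "t-456");
  return gate.jar.names();
}

// Runs the scenarios and returns what ended up in each jar.
function demo() {
  const legacy = legacyPageLoad(new CookieJar());

  const pendingGate = new ConsentGate(new CookieJar());
  const beforeDecision = gatedPageLoad(pendingGate);

  const acceptGate = new ConsentGate(new CookieJar(), () => "2021-09-01T00:00:00Z");
  gatedPageLoad(acceptGate);
  acceptGate.accept();

  const rejectGate = new ConsentGate(new CookieJar());
  gatedPageLoad(rejectGate);
  rejectGate.reject();
  rejectGate.set("ad_tracker", "t-789"); // a later attempt after rejection is dropped

  return {
    legacy,                               // ["ad_tracker", "session_id"]
    beforeDecision,                       // ["session_id"]
    afterAccept: acceptGate.jar.names(),  // ["ad_tracker", "session_id"]
    afterReject: rejectGate.jar.names(),  // ["session_id"]
    acceptLog: acceptGate.log,            // one "accepted" entry with a timestamp
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check a practitioner wants from this is the "beforeDecision" case: loading the page with a fresh jar and no interaction must leave only strictly necessary cookies behind. Auditing a live site works the same way, by clearing cookies, loading the page and inspecting what was set before the banner is touched.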

Here is where CookieYes can help you with GDPR cookie consent. As regulators step up enforcement with big GDPR fines, businesses need to act.

CookieYes is a cookie consent solution for your website that will help you to comply with data protection laws like the GDPR (EU) and CCPA (California). 

With CookieYes, you can scan your website for cookies and add the ones it finds to your site's cookie list.

You can easily add a fully customizable cookie consent banner and make it available in 30+ languages.

The consent log dashboard keeps a record of users' consents and their cookie preferences, which helps you demonstrate compliance during audits.


The free cookie policy generator lets you create a GDPR-compliant cookie policy tailored to your business.

Sign up for free today!